Prevention, Detection, Mitigation

Transcription

1 Thesis for the Degree of DOCTOR OF PHILOSOPHY Multifaceted Defense Against Distributed Denial of Service Attacks: Prevention, Detection, Mitigation Zhang Fu Division of Networks and Systems Department of Computer Science and Engineering Chalmers University of Technology Gothenburg, Sweden 2012

2 Contents Abstract i Acknowledgments iii List of Appended Papers v I INTRODUCTION Overview Background Categories of DDoS Attacks Semantic attacks Brute Force attacks Attack Tools Challenges for DDoS Defense State-of-the-art of DDoS defense Network-defense mechanisms Application-defense mechanisms Contribution of the thesis Applications defend DDoS attacks using port hopping Lightweight filter balancing throughput and protection trade-off Complementing the network-capability mechanism ix

3 X CONTENTS Tuning the granularity of traffic control Scalable online DDoS detection Chapters outline Conclusions and future research questions 31 Bibliography 33 II PAPERS 41 2 PAPER I: Mitigating Distributed Denial of Service Attacks in Mul tiparty Applications in the Presence of Clock Drifts Introduction Problem and System Model Definitions Protocol for Single Client Case Overview Contact-Initiation Part Sending the Application Data Adaptive Hopping Period: the HoPERAA.. Algorithm Supporting Multiple Clients: the BlGWHEEL Algorithm Analysis Experimental Study Discussion Conclusions 79 Bibliography 81 3 Paper II: Off The Wall: Lightweight Distributed Filtering to Miti gate Distributed Denial of Service Attacks Introduction Problem and System Model Definitions SIEVE Overview Design Details Bootstrapping connection setup Lightweight traffic filtering 98

4 CONTENTS xi Using SIEVE as a complementary filter Analysis Effectiveness of protecting connection setup Filter effectiveness Induced latency by routing via overlay nodes Simulation Study Ill Connection setup simulation Ill Traffic filtering simulation Related work Overlay-based DDoS mitigation Other solutions Conclusion 119 Bibliography PAPER III: Mitigating Denial of Capability Attacks Using Sink Tree Based Quota Allocation Introduction Sink Tree-Based Quota Allocation Quota Allocation Dealing with IP Spoofing and Early Acquiring within Domains Analysis of the Algorithm Overhead Evaluation Experimental Study Discussion and Future Work 141 Bibliography PAPER IV: CluB: A Cluster Based Framework for Mitigating Dis tributed Denial of Service Attacks Introduction Related Work System Model Overview of CluB Framework 153

5 CONTENTS Coordination authorities Authentication tokens Egress/Ingress Checking Routers The Basic Protocol in CluB Permission Requesting Packet Encapsulation Packet Forwarding Filtering replayed packets Token-Refreshing Analysts and Evaluation Filtering efficiency Filtering efficiency comparison between CluB and the capability-based mechanism Effect of packets flooding to the checking routers Controlling the Granularity of Clusters Further Discussion Controlling the checking process Dealing with valid packets flooding Conclusion and Future Work 178 Bibliography 178 Paper V: STONE: A Stream-based DDoS Defense Framework Introduction System Model Basic System Model Threat Model Anomaly-based Detection Stream Processing Engine (SPE) Model Overview of STONE Structure Building Profiles and Detection Methods Comparison system STONE-Detailed Description 198

6 CONTENTS xiii Data aggregator Detection Control Center Filter Component Evaluation Data Description and Evaluation Setup Memory Consumption Scalability evaluation Mitigation effectiveness Detection accuracy Related Work Conclusion 223 Bibliography 223 Example of the Exponential Histograms 227 Example of weighted features 228